用于交换模拟的仅限 Azure AD 应用程序的访问 token

Question

我一直在关注this resource在 azure 上创建一个使用 azure Active Directory 进行自身身份验证的应用程序。我们希望使用与交易所和 EWS 托管 API 的身份验证交互中的 token 来模拟我们组织中的每个人，而无需他们登录。

我已在 azure 上向我们的组织注册了一个应用程序并授予其交换权限。创建证书并使用它设置我们的 Azure 应用程序后，我可以通过以下代码使用 ADAL 获取仅限应用程序的访问 token ...

string authority = "https://login.windows.net/{tenant}/oauth2/authorize";
AuthenticationContext authenticationContext = new AuthenticationContext(authority, false);
var certPath = @"C:\path\to\cert\Cert.pfx";
var certfile = System.IO.File.OpenRead(certPath);
var certificateBytes = new byte[certfile.Length];
certfile.Read(certificateBytes, 0, (int)certfile.Length);
var cert = new X509Certificate2(
    certificateBytes,
    PRIVATE_KEY_PASSWORD,
    X509KeyStorageFlags.Exportable |
    X509KeyStorageFlags.MachineKeySet |
    X509KeyStorageFlags.PersistKeySet);

ClientAssertionCertificate cac = new ClientAssertionCertificate(CLIENT_ID, cert);

var token = await authenticationContext.AcquireTokenAsync("https://outlook.office365.com/", cac);

使用此 token ，与 Ews 托管 API 交互的代码如下所示。

ServicePointManager.ServerCertificateValidationCallback = CertificateValidationCallBack;
_ExchangeService = new ExchangeService(ExchangeVersion.Exchange2013_SP1) {
    Credentials = new OAuthCredentials(token),
    Url = new Uri("https://outlook.office365.com/ews/exchange.asmx"),
    ImpersonatedUserId = new ImpersonatedUserId(ConnectingIdType.PrincipalName, "<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="107d7550757d71797c3e737f7d" rel="noreferrer noopener nofollow">[email protected]</a>"),
};

_ExchangeService.HttpHeaders.Add("X-AnchorMailbox", "<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="5b363e1b3e363a323775383436" rel="noreferrer noopener nofollow">[email protected]</a>");

这似乎是通过托管 API 设置模拟的正确方法，尽管每个请求都会返回 401 未经授权的错误。

我的问题归结为，我在这里做错了什么吗？或者我还需要做些什么才能让我的应用程序访问交换服务器？

article我确实提到了客户同意流程，但该部分的细节尚不清楚。我是否可以在不首先提示他们同意的情况下向每个人授予我的应用程序权限？

Answer 1

它在我这边工作，请首先确认您已为您的应用设置使用具有对所有邮箱的完全访问权限的Exchange Web Services应用程序权限Office 365 Exchange Online受 Azure AD 保护: 为了进行测试，您可以尝试以下代码:

        ExchangeService exchangeService = new ExchangeService(ExchangeVersion.Exchange2013);
        exchangeService.Url = new Uri("https://outlook.office365.com/ews/exchange.asmx");
        exchangeService.ImpersonatedUserId = new ImpersonatedUserId(ConnectingIdType.SmtpAddress, "<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="99eae9b7edfcfaf1d9f6aaafacfcaaeea8acb7f6f7f4f0faebf6eaf6ffedb7faf6f4" rel="noreferrer noopener nofollow">[email protected]</a>");
        exchangeService.HttpHeaders.Add("X-AnchorMailbox", "<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="1d6e6d3369787e755d722e2b28782e6a2c2833727370747e6f726e727b69337e7270" rel="noreferrer noopener nofollow">[email protected]</a>");
        exchangeService.TraceEnabled = true;
        exchangeService.TraceFlags = TraceFlags.All;
        exchangeService.Credentials = new OAuthCredentials(token.AccessToken);
        Folder newFolder = new Folder(exchangeService);
        newFolder.DisplayName = "TestFolder";

        newFolder.Save(WellKnownFolderName.Inbox);

这将在目标帐户的收件箱中创建一个新文件夹。